Re: Free space counter for C D and E drive in tabl...

ravir_jbp · ‎03-02-2021

Below are the event count in splunk. I am trying to create "% Free Space" for all three drive (C:, 😧 E).

03/02/2021 23:07:18.422 -0600 collection=LogicalDisk ... 1 line omitted ... counter="% Free Space" instance=D: Value=98.36774827925271 Show all 6 lines host = YYYYYYYY source = Perfmon:LogicalDisksourcetype = Perfmon:LogicalDisk 3/2/21 11:07:18.000 PM ====================== 03/02/2021 23:07:18.422 -0600 collection=LogicalDisk ... 1 line omitted ... counter="% Free Space" instance=C: Value=43.369467322069944 Show all 6 lines host = YYYYYYY source = Perfmon:LogicalDisksourcetype = Perfmon:LogicalDisk 3/2/21 11:07:18.000 PM ======================== 03/02/2021 23:07:18.949 -0600 collection=LogicalDisk ... 1 line omitted ... counter="% Free Space" instance=E: Value=71.4197915987671 Show all 6 lines host = YYYYYYYY source = Perfmon:LogicalDisksourcetype = Perfmon:LogicalDisk 3/2/21 11:07:18.000 PM =========================== 03/02/2021 23:07:18.949 -0600 collection=LogicalDisk ... 1 line omitted ... counter="% Free Space" instance=D: Value=59.03638151425762 Show all 6 lines host = ZZZZZZZZZZ source = Perfmon:LogicalDisksourcetype = Perfmon:LogicalDisk 3/2/21 11:07:18.000 PM

Below splunk script is not working as expected also need the Value field in round(currently getting decimial) Looking for Drive free space in table format for each host that I added in the script. Please help

index=perfmon host=XXXXXXX OR host=YYYYYY OR host=ZZZZZZZZ sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" Value |sort counter, Value| stats values(Value), values(instance), values(host) | table values(host) values(instance) values(Value) | rename values(host) as Hostname, values(instance) as drive, values(Value) as Totalfree%

ITWhisperer · ‎03-02-2021

In what way is it not expected?

Have the events already been split, each beginning with a timestamp?

Have the fields mentioned already been extracted?

ravir_jbp · ‎03-03-2021

Hello ITWhisperer,

I am getting the results like attached as a screenshot below. I have added 5 servers but I am only seeing C, D and E frm each server also the Totalfree is not into proper table format. What I am expecting is to get C, D and E column for each server and Total free value under those C, D and E drives.

ITWhisperer · ‎03-03-2021

Values in your stats command is removing duplicates - try list instead

| stats list(Value), list(instance), list(host)

ravir_jbp · ‎03-03-2021

Hi,

I have modified the script

index=perfmon host=XXXX OR host=YYYY OR host=ZZZZ sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance="C:" OR instance="D:" OR instance="E:" Value |dedup instance| sort counter, Value| stats list(Value), list(instance), list(host) | rename list(Value) as Free%, list(instance) as Drives. But this time I only see data for one server though i have added three servers.

If you see below screenhost from the results I am only getting data for server XXX. I added multiple servers as YYY and ZZZ. Can you suggest on how to fix this. Also The free% seems to be in decimal value. How we can make it round value as well.

ITWhisperer · ‎03-03-2021

eval Value=round(Value,0)

ITWhisperer · ‎03-03-2021

dedup instance is finding the first event for each drive - try

dedup instance host

ravir_jbp · ‎03-03-2021

THank you so much !!! it worked for me... I appreciate your help

Free space counter for C D and E drive in table format for multiple Windows server

stats

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM